Serverless computing is increasingly adopted for AI-driven workloads due to its automatic scaling and pay-as-you-go model. However, its function-based architecture creates significant security risks, including excessive privilege allocation and poor permission management. In this paper, we present ALPS, an automated framework for enforcing least privilege in serverless environments. Our system employs serverless-tailored static analysis to extract precise permission requirements from function code and a fine-tuned Large Language Model (LLM) to generate language- and vendor-specific security policies. It also performs real-time monitoring to block unauthorized access and adapt to policy or code changes, supporting heterogeneous cloud providers and programming languages. In an evaluation of 8,322 real-world functions across AWS, Google Cloud, and Azure, ALPS achieved 94.8\% coverage for least-privilege extraction, improved security logic generation quality by 220\% (BLEU), 124\% (ChrF++) and 100\% (ROUGE-2), and added minimum performance overhead. These results demonstrate that ALPS provides an effective, practical, and vendor-agnostic solution for securing serverless workloads.

翻译：无服务器计算因其自动扩展和按需付费模式，在人工智能驱动的工作负载中日益普及。然而，其基于函数的架构产生了显著的安全风险，包括过度权限分配和权限管理不善。本文提出ALPS，一种在无服务器环境中自动实施最小权限的框架。该系统采用针对无服务器场景定制的静态分析技术，从函数代码中提取精确的权限需求，并通过微调的大型语言模型生成语言及供应商特定的安全策略。此外，它还能实时监控以阻断未授权访问，并适应策略或代码变更，支持异构云提供商和编程语言。在涵盖AWS、Google Cloud和Azure平台上8,322个真实世界函数的评估中，ALPS在最小权限提取方面达到94.8%的覆盖率，安全逻辑生成质量提升220%（BLEU）、124%（ChrF++）和100%（ROUGE-2），且性能开销极低。这些结果表明，ALPS为保障无服务器工作负载的安全提供了一种高效、实用且与供应商无关的解决方案。